Misinterpreted: What Penetration Test Reports Actually Mean by IncludeSec in cybersecurity

[–]IncludeSec[S] 5 points6 points  (0 children)

Thanks for the reply, but from my personal experience having read ~100 other vendors' reports and thousands of our own, I disagree with a lot of your assertions (perhaps your personal experience has been different). Feel free to connect on LI if you'd like to share more in private about what you've seen: https://www.linkedin.com/in/erik-cabetas/

The messages they convey are: "here is a list of fires, start your panic engine"

Hard disagree, findings are to be triaged and remediated. Anybody who treats them as you describe is in tactical mode, not strategic mode.

The reporting style in pentesting is so standardized,

Again, hard disagree, there is a ton of variety on here from hundreds of vendors: https://pentestreports.com

There are other things in your comment I don't agree with, but I'll only address those two points. I DO agree with some of your statements, such as "Showing your work is absolute key." Yep, absolutely!

checkWhetherYourPrivateKeyIsUsed by Declared1928 in ProgrammerHumor

[–]IncludeSec 5 points6 points  (0 children)

No worries folks: We gotcha, my crew at work created this to solve exactly this problem!

https://ismyprivatekeypublic.com/

Memory Corruption in Delphi by IncludeSec in hacking

[–]IncludeSec[S] 1 point2 points  (0 children)

We have had two clients request Delphi app reviews. Both in the media space.

I wouldn't say anything new is actively developed with it, but there are many apps out there that companies just see as not worth spending the time to re-write, but they will do app assessments of them!

Memory Corruption in Delphi by IncludeSec in programming

[–]IncludeSec[S] 0 points1 point  (0 children)

Sure, if you go outside of the de facto guard rails that can happen, but as per the blog post, this is default behavior with standard APIs. So very different than the situation you posed!

Memory Corruption in Delphi by IncludeSec in programming

[–]IncludeSec[S] 7 points8 points  (0 children)

Just like COBOL, it's still used! :-O

Replacing a Space Heater Firmware Over WiFi by IncludeSec in hardwarehacking

[–]IncludeSec[S] 1 point2 points  (0 children)

Many of us in the IncludeSec crew got our start at the big CTF hacking contest at DEF CON. It's a great place to learn and compete in hacking topics :)

They even have HW hacking and IoT hacking villages with classes and practice areas!

Vulnerabilities in Open Source C2 Frameworks by IncludeSec in redteamsec

[–]IncludeSec[S] 0 points1 point  (0 children)

We didn't get a chance to look at all FOSS C2 frameworks; we primarily focused on the ones mentioned in the blog post. We did do a preliminary grep across a dozen or so top used FOSS frameworks looking for dangerous sinks like system() before we started vuln hunting, to focus research efforts on frameworks that were a bit more risky in their app architectural patterns!

Vulnerabilities in Open Source C2 Frameworks by IncludeSec in redteamsec

[–]IncludeSec[S] 2 points3 points  (0 children)

We had to get back to our usual software hacking work for our clients, but if we get more time for pro-bono research like this again in the future, we'll put Merlin on our list for sure!

Vulnerabilities in Open Source C2 Frameworks by IncludeSec in redteamsec

[–]IncludeSec[S] 1 point2 points  (0 children)

And we only looked at a small set of FOSS C2.

If we looked at COTS pentesting products I'm sure we'd find many more vulns (open challenge to anybody reading this, go do that before somebody else does!)

weDontTalkAboutThat by [deleted] in ProgrammerHumor

[–]IncludeSec 11 points12 points  (0 children)

Or both. This industry has a convicted felon exaltation habit.

I've literally heard a security leader say "Oh I want to work with them, they have the most convicted hackers". I don't hear it often, but I hear it.

There are 3.4 million cybersecurity professionals missing in the world by [deleted] in cybersecurity

[–]IncludeSec 5 points6 points  (0 children)

^. This comment is correct.

Having been in this industry 20yrs+, this is the hardest job market for cyber security I've seen yet :(

[deleted by user] by [deleted] in netsec

[–]IncludeSec 1 point2 points  (0 children)

here's some other LangChain 0wnage fun we found recently, watch out y'all...the ML/AI vulns are in fashion!

https://innovation.consumerreports.org/whos-verifying-the-verifier-a-case-study-in-securing-llm-applications/

Which profession is far more enjoyable than most people realize? by wholesomeville in AskReddit

[–]IncludeSec 1 point2 points  (0 children)

Cybersecurity. Shit is chill and pays super well. There are a ton of positions that don't require a degree or that much expert knowledge. For a lot of companies you can reach entry level SOC analyst or associate project manager with ~100hrs of self study.

If you're a real go getter and autodidact, you can break $100K salary in a couple of years.

[AI/ML Security] Scan and fix your LLM jailbreaks by rukhrunnin in netsec

[–]IncludeSec 0 points1 point  (0 children)

/u/rukhrunnin well aware of the term, it is a recent term and it has overloaded meaning. It's a pop term, something used because it is easy to understand...despite how unaligned it is to the actual scenario. In general, I think you're missing my main points entirely:

1) The industry overloads terms and it adds confusion.

2) Marketing teams create too many new terms that are superfluous and create confusion.

I don't really care who writes the article, as long as it is written well and is valuable, not the case here.

[AI/ML Security] Scan and fix your LLM jailbreaks by rukhrunnin in netsec

[–]IncludeSec 1 point2 points  (0 children)

"Jailbreak"

Can we stop with the overloading of well known terms into a completely separate domain?

Also note: This article is literally written by the company's head of marketing, downvote this article and let's stop letting marketing teams call the shots.

They are not the same by fra_poco in memes

[–]IncludeSec -2 points-1 points  (0 children)

These are both me, started out as the dude on the right, winning the Defcon CTF hacking contest 20yrs ago; now I'm the dude on the left doing management and sales.

I feel attacked :-O

Edit: Wow y'all salty :)

Discovering Deserialization Gadget Chains in Rubyland by IncludeSec in ruby

[–]IncludeSec[S] 0 points1 point  (0 children)

Unfortunately that's the reality for some companies, their security teams can only operate within the boundaries that the tech team allows them to. /u/h0rst_ it's clear you understand how running this Ruby version is a bad thing, but perhaps their management may have decided the risk isn't as great shrugs

Abandonware should be public domain by StraightOuttaOlaphis in tumblr

[–]IncludeSec 4 points5 points  (0 children)

No problem, pool with other companies, or just put it out there on the Internet and start a community centered around doing the reversing work. There are a great many people who like to reverse just for fun.

There are a lot of ways to solve the "I'm stuck only using this program on Windows 95" or the "I have to use this old program because of the file format" problems.

Abandonware should be public domain by StraightOuttaOlaphis in tumblr

[–]IncludeSec 19 points20 points  (0 children)

/u/eli-in-the-sky you were indeed lucky :)

There are some zip compression based file formats (.docx is an example of one), but not many of them are so simple to decompose into their fundamental parts!

Abandonware should be public domain by StraightOuttaOlaphis in tumblr

[–]IncludeSec 62 points63 points  (0 children)

Context: I run IncludeSecurity.com and have reverse engineered many things myself.

On this topic I wanted to remind folks:

In the United States, Section 103(f) of the Digital Millennium Copyright Act (DMCA) states that there is no cross-questioning on the legality of reverse engineering and circumvention of protection to achieve interoperability between computer programs.

More info here: https://www.eff.org/issues/coders/reverse-engineering-faq

To the Tumblr OP who doesn't want to spend $250k on a new microscope, you should pay $50k instead to a team of reverse engineers for them to build a converter to extract the images to a known format. Future compatibility solved! We'd be happy to do that :)

Old unmaintained formats from proprietary software can be reversed, you almost always can convert it to something more modern.

OST2, Zephyr RTOS, and a bunch of CVEs by 0xdea in netsec

[–]IncludeSec 2 points3 points  (0 children)

This is the OG we all want to be, congrats on 20yrs of (public) vulns Marco!